IETF Logo Mail Archive

Re: [homenet] securing zone transfer

Ted Lemon <mellon@fugue.com> Wed, 12 June 2019 14:43 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB85F120123 for <homenet@ietfa.amsl.com>; Wed, 12 Jun 2019 07:43:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pmebCKKIer8n for <homenet@ietfa.amsl.com>; Wed, 12 Jun 2019 07:43:00 -0700 (PDT)
Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CB771200B3 for <homenet@ietf.org>; Wed, 12 Jun 2019 07:43:00 -0700 (PDT)
Received: by mail-qt1-x833.google.com with SMTP id x47so18735817qtk.11 for <homenet@ietf.org>; Wed, 12 Jun 2019 07:42:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=x9d4tFZ2W1/ylmHUun8ATTS19hogidtmATo6p2/mvpk=; b=xVowdEMwRjoKojZY5FGClfjy8ZfIwlTy2tCQn97TdMOYLWlJC+GqD8jJeTVEUiRVFF fL8ABg768YaZRl6HUx9X2d4KwD9WPIkLhTCubZRcCseSK0rqb9ncm0LET23QBs8kkTB5 OLfOu18DK6Fw3AZhpkBpYVnPPEzs34iir1hn48V0DN5RPVl3A5SIZHDV4GqynuB7RNMQ CUjFIifzF4BEbJlM2kWavZlYc2tmUKOrean75voguHl/8cdZji/QzaC+9sVV7+fn3rtq I1FshihxG6f7dKz9shIOBby4hZtyF27vlJb8yhOcnmZdHfBqWqX/J7t2mMvJXC6I9svp 4qlg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=x9d4tFZ2W1/ylmHUun8ATTS19hogidtmATo6p2/mvpk=; b=FWKhau54yPvG6apaufEHKF9vA71SSLKZa5lG9n3WLsBxBXGqi3JvwdD9a5e8kBRoY4 US3kQ4stCKlSXGtm0DGX8ygbCvTIcKAHC4wtGnFIcGoixiaIqrXc/PEYNFV3mqU1do4k KE5vHUgFRlHKpGtPLK05xXJYQJMavry+fztxI3BEp4yai0/lfNZz0TDIr2bvWzMLYVn+ DbzG1b6rbg099UwOdca3veR7b+UYMg0QhIFJ3NBwe/pUPji8aZQbBZBeHHZiiglA4rQx GoY6IHDeDraky+svSDdssL6LcDE9348LtoM48RV8foCxWjxgCV4NtK1Ot0zb37bsDG/O Dufw==
X-Gm-Message-State: APjAAAUFZadBkMphInMIyvapWOgzja8I5EGvEmp43j3DFzo0sha8qAWa UOM2dfAYhTkUcMqswQjmlLwL+w==
X-Google-Smtp-Source: APXvYqz3INXryOkDoU4LzYSbh/2qIbuRCyy98lQW56DyJw7kUrjJ/GCaepEh4oymtoQlyJ1wW8cbCg==
X-Received: by 2002:ac8:19ac:: with SMTP id u41mr53109074qtj.46.1560350578857; Wed, 12 Jun 2019 07:42:58 -0700 (PDT)
Received: from [192.168.8.100] (c-73-186-137-119.hsd1.ma.comcast.net. [73.186.137.119]) by smtp.gmail.com with ESMTPSA id f9sm8392586qtl.75.2019.06.12.07.42.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Jun 2019 07:42:57 -0700 (PDT)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <EC7FDA4F-1859-4B35-A8AC-D33E1A96F979@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3A6741FD-31C1-4A5F-B1E8-F1D6423CA915"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 12 Jun 2019 10:42:55 -0400
In-Reply-To: <4109.1560349340@localhost>
Cc: Juliusz Chroboczek <jch@irif.fr>, homenet <homenet@ietf.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <878su8fj24.wl-jch@irif.fr> <2348.1560261275@localhost> <87ftofwqut.wl-jch@irif.fr> <27503.1560302791@localhost> <87ef3zwoew.wl-jch@irif.fr> <4109.1560349340@localhost>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/LuhD1AtghFfr3n1xHDNB_gJ8Xeo>
Subject: Re: [homenet] securing zone transfer
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2019 14:43:03 -0000

On Jun 12, 2019, at 10:22 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> There are no passwords.

Yes please.

Juliusz, what you are saying is what you said to me when I did the original homenet naming architecture, which you said was too heavyweight.  There seemed to be consensus in the room for dropping this, and so we did.   But as time has gone by, it’s become more and more clear to me that even though this use case does not apply to every device in the home, it is a use case that applies in a significant number of cases.

We can of course build this from ad-hoc, non-standardized tools like dyndns.   We can insist that anyone who wants to address this use case has to either be a security expert, or be vulnerable.   Or we can figure out a clean way to do it using the building blocks we already have: HNCP, DNS Update, DHCP PD, etc.   And then we can write a standard that describes how to do that, and see how much uptake it gets in the real world.

I would also like to point out that in addition to Ray’s point about DANE, being able to publish an external name means that you can get a cert from Lets Encrypt.   And _that_ means that we can close the frustrating gap that we have now with home network security, which is that the web UI isn’t secure.   And we can do this with any browser, not just with browsers that support TLSA (which, unfortunately, are rare as hen’s teeth).

I’d like to also point out that one of your objections was that implementing something like the Service Registration Protocol would be too hard, and too heavy.  It turns out to fit into 12k of code space in a constrained device operating over 802.15.4.   The SRP proxy is a bit larger, but quite reasonable.   The code for both is on the hackathon github repo, and is under active development (but works at present):

https://github.com/IETF-Hackathon/mDNSResponder <https://github.com/IETF-Hackathon/mDNSResponder>

The README file only talks about the Discovery Proxy, but the ServiceRegistration subdirectory contains a complete simple service registration client: srp-simple.c
It also includes a registration proxy: srp-gw.c

Getting the SRP gateway to talk to a front-end naming primary would be very simple.   Getting AXFR to work in either direction would be as well.   It’s just a service, after all.

v2.23.0 | Report a Bug | By Email